A sweeping law enforcement operation led by the UK’s National Crime Agency (NCA) this week took down LockBit, the notorious Russian-linked ransomware gang that has for years wreaked havoc on businesses, hospitals and governments in Worldwide.
The action resulted in the LockBit leak site, the seizure of its servers, multiple arrests and US government sanctions in one of the most significant operations against a ransomware group to date.
It’s also arguably one of the most innovative busts we’ve seen, with UK authorities announcing the seizure of LockBit’s infrastructure on the group’s own leak site, which now hosts a host of details about its inner workings gang — with the promise of more to come.
Here’s what we’ve learned so far.
LockBit didn’t delete victims’ data — even if they paid
It has long been suspected that paying a hacker’s ransom demand is a gamble and not a guarantee that the stolen data will be deleted. Some corporate victims have said so, saying they “cannot guarantee” their data will be deleted.
Removing LockBit confirmed for us that this is the case. The NCA revealed that some of the data found on LockBit’s seized systems belonged to victims who had paid ransoms to threat actors, “demonstrating that even when a ransom is paid, it does not guarantee that the data will be deleted, despite what the criminals have promised “, the the NCA said in a statement.
Even ransomware gangs fail to patch vulnerabilities
Yes, even ransomware gangs are slow to patch software bugs. According to the Malware Research Group vx-basement citing LockBitSupp, the alleged leader of the LockBit operation, law enforcement broke into the ransomware operation’s servers using a known vulnerability in the popular PHP web coding language.
The vulnerability used to compromise its servers is tracked as CVE-2023-3824a remote execution flaw fixed in August 2023, giving LockBit months to fix the bug.
“FBI f****d up servers via PHP, non-PHP backup servers can’t be touched,” reads LockBitSupp’s translated message on vx-underground, originally written in Russian.
Ransomware removal takes a long time
According to European law enforcement agency Europol, the takedown of LockBit, officially known as “Operation Cronos,” was years in the making. The agency revealed on Tuesday that its investigation into the notorious ransomware gang began in April 2022, about two years ago at the request of French authorities
Since then, Europol said its European Cybercrime Centre, or EC3, has held more than a dozen operational meetings and four week-long technical sprints to develop investigative evidence ahead of the investigation’s final phase: this week’s takedown .
LockBit has hacked more than 2,000 organizations
LockBit, which first entered the competitive cybercrime scene in 2019, has long been known to be one of, if not the most, prolific ransomware gangs.
Tuesday’s operation confirms that, and now the US Department of Justice has numbers to back it up. According to the DOJ, LockBit has claimed over 2,000 victims in the US and worldwide and received more than $120 million in ransom payments.
Sanctions targeting a key member of LockBit may affect other ransomware
One of the top LockBit members indicted and sanctioned on Tuesday is a Russian national, Ivan Gennadievich Kondratiev, who US officials allege is involved in other ransomware gangs.
According to the US Treasury Department, Kondratiev also has ties to REvil, RansomEXX, and Avaddon. While RansomEXX and Avaddon are lesser-known variants, REvil was another Russia-based ransomware variant that gained notoriety for high-profile hacks, making millions in ransom payments by breaching US network monitoring giant Kaseya.
Kondratiev was too was named a leader of a recently revealed LockBit sub-group called the “National Hazard Society”. Little else is known about this LockBit subsidiary, but NCA has promised to reveal more in the coming days.
The sanctions effectively bar US-based victims of Kondratiev’s ransomware from paying him the ransom he demands. Since Kondratiev has his hands in at least five different ransomware gangs, the sanctions are likely to make his life five times more difficult.
The British have a sense of humor
Some people (ie, me, a Brit) would argue that we already knew this, but the LockBit sting showed us that the UK authorities have a sense of humour.
Not only is the NCA mocking LockBit by mimicking the gang’s dark leak site for its own LockBit-related revelations, but we’ve also found various Easter eggs hidden within LockBit’s now-seized website. Our favorite is the various file names for the site’s images, which include “oh dear.png”, “doesnt_look_good.png” and “this_is_really_bad.png”.
Image Credits: TechCrunch
